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1. Introduction 

Quantum oblivious transfer(QOT) and quantum bit commitment(QBC) 
protocols are basic aspects of quantum cryptography. The study of QOT 
was started by Crepeau and Kilian [1], In 1992, a practical QOT protocol 
was been proposed [2] . However, in these two protocols, if Bob measures the 
pulses after Alice discloses the bases, he will get both messages and Alice’s 
privacy can be destroyed. In 1993, a well-known QBC scheme was been pre¬ 
sented [3], which usually referred to as BCJL scheme was once believed as a 
provably secure scheme. Crepeau proposed a QOT protocol [4] on top of this 
QBC scheme in 1994 to ensure Bob cannot delay his measurement. Then 
Yao proved it a secure protocol based on the security of QBC [5]. Unfortu¬ 
nately, Mayers found that the BCJL scheme was insecure [6]. Later, Mayers, 
Lo and Chau separately present no-go theorem and prove that there is no 
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non-interactive quantum bit commitment protocols with statistical security 
[7-9]. Therefore, researchers believe that QOT protocols whose security are 
usually based on QBC are insecure. 

However, it isn’t the only way to construct a QOT protocol based on QBC. 
Several researchers have made efforts in this direction[10-12]. In this paper, 
we construct a random oblivious transfer protocol based on non-orthogonal 
states transmission over a quantum channel. Then, as that usually do in 
modern cryptography [13], construct a one-out-of-two oblivious transfer pro¬ 
tocol on top of the R-OT protocol. In this scheme, Alice does not tell Bob 
the bases and there is no need to forbid Bob to delay the measurement by 
QBC protocols[14]. The protocols can be applied in the practical applica¬ 
tion allowing the imperfect of sources, the quantum channel and detectors. 
Then we present a bit commitment protocol based on this QOT protocol. 
Considering error-correcting code and tolerable error rate, we describe the 
protocols in detail and analyze the security and problem we probably face to 
in practice. 

2. Conditions in practice 

As a practical protocol, these situations should be considered: 

1. Alice’s emission apparatus. As practical and efficient single-photon 
sources have yet to be realized, weak coherent pulses with typical av¬ 
erage photon number of /ig which can be easily prepared by standard 
semiconductor lasers and calibrated attenuators are used in the follow¬ 
ing protocols. The error rate caused by the emission apparatus is eg. 
A pulse is requested to contain only one kind of polarization but more 
than one photons in a pulse are allowed. 

2. Channel loss and error. The existence of channel loss leads to an im¬ 
perfect transfer efficiency. And the noises in channel lead to channel 
error. Suppose the transfer efficiency of the channel is r/c, the error 
rate caused by channel is ec- 

3. Bob’s detection apparatus. In practice it is impossible that Bob has 
detectors with perfect efficiency. The quantum efficiency tjd is the 
probability that the detector registers a count when one photon comes 
in. And the error rate caused by the detection apparatus is e D , which 
the main error source is the dark count d. 


2 


To simplify the protocol, assume that Alices emission apparatus and Bobs 
detection apparatus are both prepared by the trusted third party. They all 
know the quantum efficiency rju , the dark count rate d of Bobs detectors 
and the typical average photon number ps of light pulses that Alice will 
send to Bob and the transfer efficiency rjc■ Suppose the the typical average 
photon number in detectors is p — PsVcVd, the overall error rate is £ = 
1 — (1 — £s)(l — £c){ 1 — £d)- 

3. Practical protocols 

Definition 1. (Random Oblivious Transfer (R-OT) Channel) Alice 
sends a random bit r to Bob via a channel, if 

1. Bob obtains the bit value r with a probability p satisfies 0 < (3 < p < a, 
a < \, a and (3 are any two real numbers; 

2. Alice cannot know whether Bob has get the value of her bit. 

Then, the channel is named a R-OT channel (an extended Rabin’s OT chan¬ 
nel). 

To construct a quantum R-OT protocol, we use two non-orthogonal states. 
There is no measuring apparatus can distinguish between these two states 
with certainty, only some probabilistic information can be obtained. Let Al¬ 
ice send a sequence of photons in two quantum states | fi/ 0 ), |Ti) randomly, 
where (TolTi) = cos ip. Here we choose <p — |. Although there are kinds 
of measurements for Bob, to simplify the protocol to be a practical one, 
we choose an easy one: Bob measures the coming photons in two basis, 
B 0 = {|T 0 ),|T 0 ) _l } and B i = {|T 1 ),|'L 1 )- l } randomly. If his measurement 
results in |T.„), he could not distinguish which state was sent by Alice. If 
his measurement results in |'3 / ^ 01 ), orthogonal to IT^i), he know that the 
initial state could not be IT^i) and therefore was Id's). In an ideal world, 
Alice’s probability of sending IdR) is | and Bob’s probability of detecting a 
proton in B x<s i is also \. Therefore, the probability of getting a conclusive 
result is 

Pideai = ^ x ^('L a .|T^ el )(T^ el |T x ) x 2 = ^ sin 2 ^ ^ (1) 
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Protocol 1. Practical quantum R-OT protocol 

1. Alice and Bob decide on a series of security parameters. The number 
of photons in a pules with typical average photon number of p s °bey 
Poisson distribution. 

Pn(ps) = -j- 2 

n\ 

Form Equation (2), the probability of no photons in the pulse is Po(hs) — 
e~^ s . It is easily to see the Poisson probability of detecting the photons 
in a pulse with typical average photon number p s through a channel 
with transfer efficiency r)c by a detector with quantum efficiency rjo 
is 1 — e -/t . They can set the fraction a which is the probability Alice 
expects Bob to detect successfully around to 1 — e -M and set error rate 
e set to £ or a little bit higher to allow other noises. The parameters 
are in accord with the equation H(2£ set ) < I — (1 — e -Ms — ps e ~^ s )/^ a 
to resist photon number splitting attack [2]. They agree on a security 
parameter N which will be used below. They choose an information 
reconciliation scheme for about aN bits words with expected error rate 
£ set . After using these, the error rate will reduce to P x . 

2. Alice and Bob perform two tests with their apparatus. 

First, they compare the sending time t, with the receiving time t\ for 
each pulse. Since the distance between them is fixed, they can easily get 
the traveling time 9, i.e. 9 = t\ — ti. This test can not only mark the 
address of each pulse, but also decrease the error caused by noises and 
dark counts. 

Second, Alice sends sequence of pulses through a quantum channel and 
tells Bob the bases of the pulses through a classical channel. Bob de¬ 
tects the pulses in the other bases. If and only if he detects the pulses 
successfully with a probability greater than a and a error rate less than 
£ set , he agrees to continue the protocol. Otherwise, they take counsel 
together to adjust the parameter a or £ set . 

3. Bob prepares a random qubit string |$i),|$ n ) and sends it to Alice, 
where |$j) e { |0), |1), |+), |—)} 

4- Alice generates random bit string (ri,...,r N ) e {0,1}^. When r t = 0, 
she keeps the ith qubit unchanged and sends it back to Bob; when r* = 1, 
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she rotates the state along y axis with | ; and sends the qubit back to 
Bob, that is 

jn = o, 1 $*)—> 1$*), 

1n = i, |$*)— + 

She also tells Bob the sending time A of each pulses through a classical 
channel, i G {1, 2, N}. 

5. Bob tells Alice the receiving time of the receiving pulses. The number of 
them is expected to be aN. He chooses B 0 or B\ randomly to measure 
the pulses coming from Alice, where |'& 0 ) = |$i) and |\&i) = |+ |). 
He records the receiving time tf of each pulse and compares with the 
sending time. If and only ift\ = ti + 9, he admits |\& ri ) a receiving pulse. 
From these receiving pulses, if and only if his measurement results in 
state | X I / LC ) , he accepts a pulse as a conclusive pulse and takes the bit 
value of this pulse as x A) 1. 

6. Alice and Bob use the information reconciliation scheme mentioned in 
Step 1 to reduce the error in the receiving bits. 

If Alice can get a bit’s value and ensure that it is a conclusive bit, the 
qubit Bob obtained must be in a pure state. Therefore, Alice cannot execute 
EPR attack, and then, she cannot know whether a bit with a given value has 
been taken as a conclusive bit by Bob. 

Protocol 2. OT^ protocol 

1. Alice and Bob execute protocol 1. Bob's probability of getting a con¬ 
clusive bit is Pcon(h), which is to be analyzed later. Therefore Bob is 
supposed to obtain Np con (n ) conclusive bits after this step. 

2. Bob selects I = {A,..., A} and J = {j i,... ,jk} with ID J — 0. The k 
bits r^,, ri k are chosen from his conclusive bits. In practice, if the 
conclusive bits in Bob’s hand are a little less than k, he should random 
adds it to k. 

3. Bob chooses a random bit with value m. If m = 0, he sends {X, Y} = 
{/, J} to Alice. Otherwise, he sends {X, Y} = {J, I}. 
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4- After receiving (. X , Y), Alice generates local random bit-string R 0 , Ri G 
{0,l} fc and encrypts her messages bo, b\ as 

f c 0 = E x (R 0 ,b 0 ) G {0, l} fc+1 ,x = (n\i G A"), 

\ Ci = E y (R 1} b 1 ) G {0,l} fc+1 ,j/ = {ri\i G Y), 

where x,y are the encryption keys. Alice sends cq, ci to Bob and keeps 
Ro, R\ secret. 

5. Bob decrypts that coming from Alice to obtain (. R m ,b m ) = D key (c m ) 
with key = G I). 

In practice, the physical system and the coded bit string are necessary to 
cause error. Therefore, this kind of OT protocols has a certain probability 
of error. But it does not impact us to construct a bit commitment protocol. 

If Alice regards the two bits in Protocol 2 as a committed bit, her best 
cheating strategy is to commit 0 with a probability | and commit 1 with a 
probability \. And change half of them in open phase. For each bit, the 
probability that a cheating Alice can not be detected is 25%. Thus even the 
error rate of OT^ is 20%, a cheating Alice could be detected by Bob. 

We can construct a bit commitment protocol by executing the protocol l 
times as follows: 

Protocol 3. Bit commitment protocol 

Commit phase: 

1. Alice randomly divides her commit value as b = b^ © b± \ i = 1,...,/. 
Then there are l same value ofb. 

2. Bob generates local random numbers {m j = 0, l|i = 1,..., /}. 

3. Alice executes protocol 2 with Bob l times, and Bob can obtain the 
values {bm,\i — 1 ,... , 1 } and {R l fn,\i — 1 


Open phase: 


1. Alice opens {6?, b?] Rq\ R?; r£ } (i) ,..., r£ (i) ; r £ (i) \i = l,...l} 


(*) . „(*) 


„(0 


2. Bob verifies whether {b { 0 l) , b^; Rq\ R^; r^,..., r] ^ 


.W .Ji) 


,(0 I 


1,.../} is consistent with his {bm,; RmP, ..., = 1,.../} and 

those conclusive bits in J. If the consistency holds, he admits Alice’s 
commit value as b. 
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4. Analysis on error rate 

Alice and Bob use (63,57,3) Hamming code and the specific information 
reconciliation scheme executed in Protocol 1 Step 5 is as follows. 

1. l obt denotes the number of k bits in set / or J before using this scheme. 
Alice divides both of l obt bits into 63-bit blocks and performs the wire 
link permutation W on it. When l obt = 63 |~^] — A, A bits of the 
block in front should be added to the last block. Then calculate the 
syndromes and discard the check bits of each block. Repeat above 
operations four times and send these syndromes to Bob. 

2. Bob divides his l Q bt bits into 63-bit blocks and performs the wire link 
permutation W on it. When l Q bt = 63 |"^-~| — A, A bits of the block in 
front should be added to the last block. For each round, he calculates 
the syndromes <Sr z and S; = Sa, © Sb v Correct the error in each block 
and discards all check bits. 

After discard all check bits, the remain bits as the bits in set I or J in 
Protocol 2. 


k 


57 


lobt 

63 


-A 


lobt 6 


lobt 

63 


(3) 


Suppose the error rate of each bit in Protocol 1 is £± — 0.3%. After informa¬ 
tion reconciliation, the error rate can be reduced to e\ = 0.0757% [15]. 

Assume as long as there is one bit error in key used in the decryption 
algorithm, Bob can not obtain b m or R m in Protocol 2. The error rate of 
Protocol 2 is £ 2 - The relation of £2 and e\ is 

£2 = l-(l-£;) fc (4) 

When = 0.0757%, £ 2 is shown in Figure 1. 
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Figure 1: The error rate of Protocol 2 with respect to the size of sets 

When the sets contain less than 295 bits, the error rate of Protocol 2 can 
be less than 20%. 

5. Analyze what Bob can obtain and determine the parameteres 

5.1. Analysis on honest Bob 

Let |n 0 ) and |ni) denote n-photon state of polarization 0 and |, respec¬ 
tively. For an honest Bob, if he chooses the measurement bases B i to detect 
|1 0 ), the probability of the state collapse to ll^) is For |no), the proba¬ 
bility of at least one of the photons collapse to the state with polarization of 
^ is 1 — (§)"• Therefore, the probability of getting a conclusive resulting in 
a pulse which contains n photons is 

pH = l 
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From Equation(2) and Equation(5), the probability of getting a conclusive 
bit in a pulse is 


Pcon(p) 


Y^Priili) X p{n)\ 

n —1 



1 

2 

1 

2 


£ 

n= 1 


e ^p n 


n\ 


_ kL 

— e 4 



n=l 




( 6 ) 


It can be seen that an honest Bob is supposed to obtain Np con (p) con¬ 
clusive bits. The probability of getting a conclusive bit in one pulse with 
different /i can be seen in Figure 2. The larger ps of emission apparatus and 
more efficient detector they use, the higher efficiency the protocol is. 


Peon (p) 



Figure 2: The probability of an honest Bob gets a conclusive bit with respect to /i 


5.2. Analysis on malicious Bob 

A malicious Bob can separate n photons by photon number splitting 
attack. For single-photon, the successful probability of optimal measurement 
to differentiate the two non-orthogonal states is 1 — cosip, which has been 
proven [16-18]. For n photons, a malicious Bob’s probability of differentiating 
the two-orthogonal sates is 
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p'(n) = 1 — cos n ip. 


( 7 ) 


Then a malicious Bob using photon number splitting attack and optimal 
measurement for single-photon can get conclusive bits with the probability 
of 


p'con(v) = ^Pn(p) X p'[n) = 1 - e ^ (8) 

n=i 


Here we consider that the malicious Bob has an ideal detector, the quan¬ 
tum efficient rf D of which is 1. Thus, p! = psVc = Assume the protocols 
are executed over atmospheric channel, the quantum efficiency of honest 
Bob’s detector p D is 80% and this kind of detector has been already realized 
in laboratory. The cheating Bob’s probability of getting a conclusive bit is 

Pcon(Ps) = l~e~^ {1 ~^ ) (9) 

A malicious Bob will get about 1 — conclusive bits. 


p" can <M) 



Figure 3: The probability of a malicious Bob gets a conclusive bit with respect to /i 


5.3. Contrastive analysis 

The difference between an honest Bob’s probability of obtaining a con¬ 
clusive bit and half of a malicious Bob’s probability of obtaining a conclusive 
bit is Pdiff(p) = pcon(p) ~ \p'con(p)i which can be seen in Fig 4. 
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Figure 4: The difference between an honest Bob’s probability of obtaining a conclusive bit 
and half of a malicious Bob’s probability of obtaining a conclusive bit with respect to f.i 

When fi = 4.85, the function has a maximum 0.0732. The probability of 
obtaining i conclusive bits is p 0 u, which is referred to the binomial distribu¬ 
tion. 


Pebt 



Figure 5: The solid line denotes the probability of an honest Bob obtains i conclusive bits 
when N = 800, /i = 5. It can be seen an honest Bob can obtain more than 259 conclusive 
bits with a great probability. The dashed line denotes the probability of a malicious Bob 
obtains i + 259 conclusive bits. 

5.4- Determine the parameters in practical protocols 

Suppose the probability of the cases that the number of conclusive bits 
obtained by an honest Bob is equal to or less than l obt be pi, and the proba¬ 
bility of the cases that the number of conclusive bits obtained by a malicious 
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Bob is equal to or greater than 2 l obt be p 2 . 

lobt 


■-^^[pcoMYll - p con (p)) N 1 

i =0 

(10) 

N 

C N[p'con^)] l [ l ~ P'am{k)} N ~ l 

(ii) 


i=2l n 


As the honest Bob should execute Protocol 2 successfully and the malicious 
Bob can not obtain both 6 0 and b±, p\ and p 2 should be small enough. 

The probability of an honest Bob cannot execute Protocol 2 successfully 
is p. 


P = 1 —(1-£ 2 )(1—Pr). (12) 

To detect a cheating Alice, p should less than 20%. Given a e 2 , p\ has a 
upper bound p u to ensure p < 20%. To ensure the concealing of the bit 
commitment protocol, p 2 should be controlled to be a magnitude of 10 -6 . 


Table 1: When p = 20%, N = 800, p 2 is controlled to be a magnitude of 10 6 , the selection 
of parameters with different p. 


p 

Pcon{_f^) 

P'conil l ) 

lobt 

k 

^2 

Pit 

Pi 

P2 

2 

0.197 

0.285 

143 

131 

0.0944 

0.117 

0.107 

3.25 x 10" 6 

3 

0.264 

0.395 

190 

172 

0.122 

0.0887 

0.0484 

1.85 x 10" 6 

4 

0.316 

0.488 

228 

210 

0.147 

0.0621 

0.0312 

1.53 x 10" 6 

5 

0.357 

0.567 

260 

236 

0.164 

0.0435 

0.0324 

7.45 x 10“ 7 

6 

0.388 

0.634 

283 

259 

0.178 

0.0267 

0.0236 

4.73 x 10" 6 


When p is too low, the difference between the probability of obtaining a 
conclusive bit by an honest or a malicious Bob is not large enough to select 
proper parameters. When p is too large, a proper k is too large to lead to a 
large e 2 and we cannot select proper parameters either. It can be seen from 
Table 1, when 2 < p < 6, we can always find other proper parameters to 
execute the protocols successfully. 

6. Security 

6.1. Concealing of bit commitment protocol 

Suppose the probability of a malicious Bob obtains both of two messages 
in OTf protocol p 2 is controlled to be a magnitude of 1CT 6 , the times of 
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executing OTf protocol in bit commitment protocol / is 25, a malicious Bob 
can obtain what Alice has committed before open phase with a probability 
of 


p br = 1 - (1 - 10“ 6 ) 25 « 2.5 x 10~ 5 (13) 

In practical protocol, the probability of breaking the concealing of bit com¬ 
mitment around 5 x 1CT 5 is allowed. 

6.2. Binding of bit commitment protocol 

When Alice tries to attack the binding of bit commitment protocol, she 
changes the value of b^ or b[ l \ But some of these values are fixed after 
execute Protocol 2, and Alice has no idea about which bits Bob obtains, 
even no-go attack can not help. If OTf is secure, what she only can do is 
to choose randomly the changing bit between and b[ l> for each i. The 
probability that Bob can obtain a correct b 0 or bi successfully is 1 — p = 0.8 
and the probability that a cheating Alice can be detected is 0.4. Therefore, 
for l = 25, Alice’s success probability of attacking is 

p br = (1 - 0.4) 25 « 2.8 x 10" 6 (14) 

In practical protocol, the probability of breaking the binding of the bit com¬ 
mitment around 2.8 x 10 -6 is allowed. 

7. Discussions 

In this paper, we analyze the situation that the protocols are executed 
on atmospheric window with a high efficiency detector of 80%. Otherwise, if 
a malicious Bob has a greater ability to obtain information near Alice’s site 
and has a super channel, the transfer efficiency could be 100%. To defend the 
attack, the efficiency of transfer and an honest Bob’s detector r]c'r]D should 
be increased to 80%. 

If we execute the protocols in optical fiber, the bit commitment protocol 
can be realized between two parties with a long distance. For a malicious Bob 
who uses photon number splitting attack and has a detector with a efficiency 
less than r g D /80%, the analysis and security of the protocol also hold true. It 
means that our protocols is probably applied over a long distance in future. 
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8. Conclusion 

Based on two non-orthogonal states, we construct a random oblivious 
transfer protocol. Then we construct a one-out-of-two oblivious transfer pro¬ 
tocol on top of the random OT protocol. Finally, we present a bit com¬ 
mitment protocol based on the one-out-of-two protocol. The security of 
concealing is kept by measurement hypothesis and superposition principle of 
state in quantum mechanics. Since the no-go theorem type attack can not 
work because of random |<f>j), the binding of the bit commitment protocol 
is secure [14], By using weak coherent pulses and allowing some error, our 
protocols can be applied in practice. With the advent of the higher efficiency 
detectors in optical fiber, our protocol can be realized with a long distance. 
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